X-Git-Url: https://git.mxchange.org/?a=blobdiff_plain;f=src%2FProtocol%2FActivityPub%2FReceiver.php;h=c074e49f6c8d95b1ddd9fb2067174fb08ca9270b;hb=ced4911c4ab268c9e502a3c3e1aa43ebda837044;hp=686ac8be327ecbe8f1235bf706e475c9a55fce10;hpb=d577ab98eb0f28f9f807795f54c87d80ef9c0dc2;p=friendica.git
diff --git a/src/Protocol/ActivityPub/Receiver.php b/src/Protocol/ActivityPub/Receiver.php
index 686ac8be32..c074e49f6c 100644
--- a/src/Protocol/ActivityPub/Receiver.php
+++ b/src/Protocol/ActivityPub/Receiver.php
@@ -309,6 +309,16 @@ class Receiver
 }
+ // Don't trust the source if "actor" differs from "attributedTo". The content could be forged.
+ if ($trust_source && ($type == 'as:Create') && is_array($activity['as:object'])) {
+ $actor = JsonLD::fetchElement($activity, 'as:actor');
+ $attributed_to = JsonLD::fetchElement($activity['as:object'], 'as:attributedTo');
+ $trust_source = ($actor == $attributed_to);
+ if (!$trust_source) {
+ Logger::log('Not trusting actor: ' . $actor . '. It differs from attributedTo: ' . $attributed_to, Logger::DEBUG);
+ }
+ }
+
 // $trust_source is called by reference and is set to true if the content was retrieved successfully
 $object_data = self::prepareObjectData($activity, $uid, $trust_source);
 if (empty($object_data)) {
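Review bot: The new check `$trust_source = ($actor == $attributed_to);` uses a loose comparison, so the source stays trusted whenever both lookups come back empty, because `null == null` and `null == ''` are both true in PHP. Whether `JsonLD::fetchElement` can return an empty value at this point is not visible in the hunk, so I would make the check fail closed with `$trust_source = !empty($actor) && ($actor === $attributed_to);`. The guard also covers only `as:Create` with an inlined object; if `as:Update` activities can arrive with `$trust_source` set, the same actor/attributedTo mismatch presumably applies there and deserves the same test, or a comment explaining why it does not. The enclosing method starts and ends outside the hunk.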